WTT

Security checks across malware telemetry and agentic risk

Overview

This is a real WTT channel plugin, but installing it would let WTT control much more of the agent and local state than the setup text makes clear.

Install only if you intend WTT to be a powerful remote control channel for your OpenClaw agent. Before enabling it, replace the wildcard WTT command allowance with a narrow allowlist, restrict trusted senders/topics, use least-privilege or disposable tokens, verify the package version and cloud URL, review or disable task execution/update/delegate paths, and understand that tokens, E2E material, task state, topic memory, media, and project context may be stored or exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding
The skill advertises installation, enablement, gateway restart, and bootstrap steps that inherently invoke shell commands, network access, and credential handling, yet it declares no permissions. This under-specifies the skill's operational capabilities and prevents users or policy engines from making an informed trust decision before installation and onboarding.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The description presents the skill as a simple plugin distribution/bootstrap entry, but the referenced behavior includes persistent remote connectivity, inbound command routing, task execution, config mutation, media download, caching, encryption handling, and self-update flows. This mismatch is dangerous because users may authorize a seemingly narrow setup skill while actually enabling a much broader remote-control and data-handling surface.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
This script downloads external media and writes it into a local cache, which is a materially broader capability than the skill metadata describes. Hidden or under-disclosed network and file-write behavior is dangerous because it can be used to fetch attacker-controlled content, consume disk/bandwidth, and expand the trust boundary of what appears to be a simple plugin bootstrap/install skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The code issues outbound requests to arbitrary HTTP(S) URLs extracted from topic content, which is effectively attacker-influenced network access. This creates SSRF-style risk against internal services, metadata endpoints, or other sensitive network locations reachable from the host, and also permits retrieval of malicious or oversized content despite basic byte/time limits.

Context-Inappropriate Capability

Severity: Medium
Confidence: 85%
Finding
The plugin pulls knowledge-base and project-context data and injects local file paths into agent context even though the stated purpose is just WTT install/bootstrap. That expands the data-access surface significantly: a user enabling a messaging plugin may unknowingly grant the agent access to local project metadata and cached KB content, increasing risk of unintended data exposure through prompts, replies, logs, or downstream tools.

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding
This module patches remote task status and triggers task execution from inbound channel events, which is materially more powerful than a distribution/bootstrap entry. If misconfigured, abused via inbound messages, or unexpectedly enabled, it can cause unauthorized workflow execution, state changes, and side effects on remote tasks without the user realizing the channel plugin has operational control.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding
The setup flow expands `commands.allowFrom.wtt` to include `*`, granting the WTT channel blanket permission to invoke all commands rather than only enabling the plugin and storing credentials. In the context of a remote channel plugin, this materially increases the attack surface: any actor able to send messages through WTT could reach powerful agent commands that were not previously exposed to that channel.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
This is the concrete security issue underlying the previous finding: the code unconditionally appends a wildcard authorization for the WTT channel. Because this plugin bootstraps a remote communications channel using agent credentials, wildcard command access can turn channel compromise, misconfiguration, or untrusted remote users into full agent command execution.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding
The client responds to an in-band `e2e_key_request` by transmitting `key_b64: toBase64(this.e2eKey)` over the same server-controlled WebSocket session. That defeats end-to-end encryption by disclosing the raw symmetric key to the remote side or to any actor able to trigger or impersonate such requests, enabling retrospective and future decryption of protected content.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The README instructs users to pass `agent_id` and especially `agent_token` directly on the command line, which can expose secrets through shell history, process listings, audit logs, CI logs, or terminal recording tools. Because these are bootstrap credentials for a messaging/channel plugin, exposure could let an attacker bind or impersonate the agent against the WTT service.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The setup instructions tell users to pass `agent_id` and `agent_token` directly on the command line without any warning about secrecy, storage, shell history exposure, or log leakage. Secrets entered this way can be recovered from terminal history, process listings, CI logs, or support transcripts, leading to account takeover or unauthorized use of the WTT agent.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The help/output does not clearly warn that the tool may contact remote hosts and create local media files, which can mislead operators about the script's actual behavior. In the context of a plugin whose stated purpose is installation/bootstrap, this under-disclosure increases risk because users may run it with more trust than they would grant a downloader that processes untrusted content.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The script forcibly uninstalls any existing plugin named `wtt` without warning, confirmation, or validation that it is the same package/version the installer intends to replace. In a plugin-distribution context, this can silently remove a legitimate or locally customized plugin and replace it with code fetched from an external package source, creating integrity and availability risk.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The code auto-generates an E2E password and persists it into the user's local configuration file without an explicit consent flow. Silent credential material creation and storage can surprise operators, weaken change-control expectations, and create security debt if the config file has broader readability or is later exfiltrated.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The code trusts `OPENCLAW_CONFIG_PATH` from the environment and then rewrites that path with `fs.writeFile` and `fs.rename` without validating that it points to the expected OpenClaw config file. If an attacker can influence the environment of the agent process, they can redirect this write to an arbitrary file writable by the service account, causing configuration corruption or targeted file overwrite.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The scheduler builds and publishes heartbeat payloads that may include `sessionKey` and other operational metadata without any minimization, redaction, or explicit consent boundary in this code path. If `publish` sends these heartbeats to a remote service, session identifiers could be exposed in telemetry or logs, increasing the risk of tracking, correlation, or token/session misuse depending on how `sessionKey` is used elsewhere.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The queue store serializes the full task intent to JSON and writes it to disk, which includes `apiContext.token` when present. Persisting bearer tokens or similar credentials in plaintext increases the chance of credential theft via local file disclosure, backups, logs, or other processes/users with filesystem access. In this plugin context, the skill bootstraps channels using agent credentials, so storing task execution data on disk is more sensitive than generic queue state.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The executor forwards full task content, generated prompt text, and the `accountId` to a pluggable `invokeTaskInference` hook, which may be backed by an external model provider. In this file there is no consent gate, data-minimization step, allowlist, or boundary check on where that hook sends data, so sensitive task data and tenant identifiers can be disclosed outside the trusted runtime.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The code persists `TaskRunExecutorIntent`, which includes `apiContext`, and later reconstructs authenticated requests from `apiContext.token` by placing it into the `Authorization` and `X-Agent-Token` headers. If the persistence backend is readable by other local users, copied in backups, or recovered after compromise, long-lived API credentials can be exposed and reused for authenticated task operations.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The code sends the base64-encoded E2E key back over the active connection with no visible user approval, disclosure, or secondary verification. Because the feature is embedded in a persistent authenticated cloud client for a plugin whose stated purpose is only bootstrap/installation, the context makes this more dangerous: users would not reasonably expect escrow or remote export of their decryption key.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
This test script automatically registers accounts and performs authenticated requests against a live third-party service at https://www.waxbyte.com using hardcoded credentials, without any explicit warning, consent gate, or safe test-environment restriction. In an agent-skill context, users or CI systems may run the file expecting a local/inert test, but it will transmit credentials, create remote accounts, and send message content to an external service, creating privacy, compliance, and unintended network-interaction risk.

VirusTotal

65/65 vendors flagged this skill as clean.